Ransomwares on Android have become a challenging threat, performing tasks such as hijacking screen resources, locking devices, and encrypting files. Even worse, with the evolution of ransomwares, many ransomwares can disable USB interfaces of mobile devices. It is difficult for users to recover their devices or decrypt files with the help of other equipment and gives monetary damages to victims. In this paper, we analyse the symmetry between the ransom behaviours and the source code of screen resource hijacked ransomwares, devices locked ransomwares and files encrypted ransomwares. We also propose strategies of recovering hijacked resources, recovering hijacked devices and decrypting encrypted files. To protect mobile devices and private files from ransomwares, we design and implement an automatic recovery application—KRRecover—which is used to recover the hijacked devices and decrypt encrypted files on Android.
